| From | The Natural Philosopher <tnp@invalid.invalid> |
|---|---|
| Newsgroups | comp.os.linux.misc |
| Subject | Re: Guaranteeing SSH access to specific clients |
| Date | 2022-12-09 13:29 +0000 |
| Organization | A little, after lunch |
| Message-ID | <tmvd8a$15cgv$6@dont-email.me> |
| References | <tmtf02$1ufi$1@gioia.aioe.org> <op.1wvne71ia3w0dxdave@hodgins.homeip.net> <tmu2hq$18b6$1@gioia.aioe.org> |
On 09/12/2022 01:20, Harold Johanssen wrote:
> On Thu, 08 Dec 2022 16:31:45 -0500, David W. Hodgins wrote:
>
>> On Thu, 08 Dec 2022 14:47:14 -0500, Harold Johanssen
>> <noemail@please.net> wrote:
>>
>>> I don't know whether this is reasonably possible, but I thought
>>> I'd ask anyway, just in case:
>>>
>>> Is it possible to guarantee SSH to a specific client, to the
>>> exclusion of all other clients? In effect, all other connections would
>>> be immediately rejected, even before the SSH protocol exchange gets
>>> going. The following requirements must be met:
>>>
>>> - The SSH server must be listening on port 22.
>>> - The target client may connect from different, arbitrary IP
>>> addresses.
>>>
>>> This would be easily possible with tweaked SSH servers and
>>> clients, but I am not sure it can be done with off-the-shelf ones.
>>
>> Excluding all other clients would go against the fact that linux is a
>> multi-user system, so it's not a standard feature.
>>
>> Killing the sshd server does not kill the working ssh connection(s), so
>> you could have a script run on login via ssh that kills the sshd server,
>> but you'd have to also figure out how to restart it after that
>> connection ends (intentionally or not).
>>
>> Why do you want to do this? There's probably a better way to lock things
>> when needed.
>>
>> Regards, Dave Hodgins
>
> You misunderstood what I wrote. What I meant is the following:
>
> I want to ssh into a specific system that I control, from
> wherever I am in the Internet. Any ssh connections from anybody else into
> that system, wherever they are coming from in the Internet, are
> automatically rejected - it is not that they are rejected when the wrong
> username and password are supplied; rather, their connection requests are
> rejected before the ssh protocol gets started. Can this be done, with the
> constraints that I specified?

I use a random sshd high port for this.
Ok if someone port scans they might find it. But script kiddies are not
so good as that.

>
> This would be networking-related question: in a nutshell, if the
> TCP connection on port 22 is coming from me then it is forwarded to the
> ssh daemon; otherwise, it is dropped immediately. The problem is, how
> would the TCP code in my server know that the connection is coming
> from me, as opposed to anybody else?
>
As I said, either because it isn't on 22 at all, or because you are
using an identifiable source port.
--
"The most difficult subjects can be explained to the most slow witted
man if he has not formed any idea of them already; but the simplest
thing cannot be made clear to the most intelligent man if he is firmly
persuaded that he knows already, without a shadow of doubt, what is laid
before him."
- Leo Tolstoy
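
Added example, not part of the original post: the "identifiable source port" idea from the reply above, as a loopback demonstration in Python. The gate decides on the peer's TCP source port at accept time, before any SSH banner is sent; the banner string, the function names and the ports reserved at run time are assumptions made for the demo.

```python
import socket
import struct

BANNER = b"SSH-2.0-demo\r\n"  # constructed stand-in for handing the socket to sshd

def gate_once(listener, allowed_sport):
    """Accept one connection; serve it only if the peer's source port matches."""
    conn, (_peer_ip, peer_port) = listener.accept()
    with conn:
        if peer_port != allowed_sport:
            # Linger 0 turns close() into a TCP RST: no banner, no SSH exchange.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            return False
        conn.sendall(BANNER)
        return True

def probe(listener, allowed_sport, bind_port):
    """Connect from bind_port and return (gate verdict, bytes the client saw)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
        client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        client.bind(("127.0.0.1", bind_port))
        client.settimeout(2)
        client.connect(listener.getsockname())  # completes in the listen backlog
        verdict = gate_once(listener, allowed_sport)
        try:
            seen = client.recv(64)
        except ConnectionResetError:
            seen = b""
        return verdict, seen

def reserve_two_ports():
    """Ask the kernel for two distinct free loopback ports (demo only)."""
    a, b = socket.socket(), socket.socket()
    with a, b:
        a.bind(("127.0.0.1", 0))
        b.bind(("127.0.0.1", 0))
        return a.getsockname()[1], b.getsockname()[1]

def run_demo():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(4)
        agreed, other = reserve_two_ports()  # 'agreed' is the pre-arranged source port
        return (probe(listener, agreed, agreed),  # the expected client
                probe(listener, agreed, other))   # anyone else

if __name__ == "__main__":
    print(run_demo())
```

A source port is not a secret and NAT devices commonly rewrite it, so a filter like this cuts scan noise rather than authenticating the client. Key-based SSH authentication still has to carry the actual access decision.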